Inaccurate Utilization Rate Calculation Due to Non-Normalized Debt
Summary
The reserve interest update logic uses the raw total debt (reserve.totalUsage) to compute the utilization rate rather than using normalized debt, which factors in accrued interest. This leads to an understated utilization rate.
Vulnerability Details
In the code https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/libraries/pools/ReserveLibrary.sol#L208-L218
To calculate the utilization rate, the approach would be to use the normalized debt obtained via getNormalizedDebt as computedDebt and computedLiquidity. By neglecting accrued interest, the resulting utilization rate is lower than it should be, thereby causing borrow and debt rates to be miscalculated.
Impact
Mispricing of interest rates due to underreported utilization.
Tools Used
Manual code review
Recommendations
Update the utilization rate calculation to use the normalized debt (from getNormalizedDebt) instead of reserve.totalUsage.
Lead Judging Commences
updateInterestRatesAndLiquidity() uses reserve.totalUsage while other functions use getNormalizedDebt(), causing inconsistent utilization rate calculations
Appeal created
ReserveLibrary calculates computedDebt and computedLiquidity but never uses them, leading to stale totalUsage and totalLiquidity values in utilization rate calculations
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.